Data model selection and application based on data sources

ABSTRACT

Embodiments include generating data models that may give semantic meaning for unstructured or structured data that may include data generated and/or received by search engines, including a time series engine. A method includes generating a data model for data stored in a repository. Generating the data model includes generating an initial query string, executing the initial query string on the data, generating an initial result set based on the initial query string being executed on the data, determining one or more candidate fields from one or results of the initial result set, generating a candidate data model based on the one or more candidate fields, iteratively modifying the candidate data model until the candidate data model models the data, and using the candidate data model as the data model.

RELATED APPLICATIONS

The present application is a Continuation of U.S. application Ser. No.14/815,884 filed Jul. 31, 2015, which is a Continuation of U.S.application Ser. No. 14/611,232 filed Jan. 31, 2015, now U.S. Pat. No.9,128,980, issued Sep. 8, 2015, which is a Continuation of U.S.application Ser. No. 14/067,203 filed Oct. 30, 2013, now U.S. Pat. No.8,983,994, issued Mar. 17, 2015, which is a Continuation of U.S.application Ser. No. 13/607,117, filed Sep. 7, 2012, now U.S. Pat. No.8,788,525, issued Jul. 22, 2014, the entire contents of the foregoingare hereby incorporated by reference as if fully set forth herein. Theapplicant(s) hereby rescind any disclaimer of claim scope in the parentapplication(s) or the prosecution history thereof and advise the USPTOthat the claims in this application may be broader than any claim in theparent application(s).

BACKGROUND OF THE INVENTION

This invention relates generally to information organization, datamodeling, search, and retrieval and more particularly, the generatingand utilizing data models in search, and retrieval of search enginedata.

The rapid increase in the production and collection of machine generateddata has created relatively large data sets that are difficult tosearch. The machine data can include sequences of time stamped recordsthat may occur in one or more usually continuous streams. Further,machine data often represents some type of activity made up of discreteevents.

Often, searching large data sets requires different ways to expresssearch criteria. Search tools today typical allow users to search by themost frequently occurring terms or keywords within the data andgenerally have little notion of event based searching. Given the largevolume and typically repetitive characteristics of machine data, usersoften need to start by narrowing the set of potential search resultsusing event-based search mechanisms and then, through examination of theresults, choose one or more keywords to add to their search parameters.Timeframes and event-based metadata like frequency, distribution, andlikelihood of occurrence are especially important when searching data,but can be difficult to achieve with current search tools.

Also, users often generate ad-hoc queries to produce results from datarepositories. In some cases, generating queries sufficient forretrieving the desired results may require an undesirably high-level ofknowledge about the data domain and/or the operation/structure of thedata repository. Thus, systems related to the searching of relativelylarge sets of data are the subject of considerable innovation.

BRIEF DESCRIPTION OF THE DRAWINGS

Non-limiting and non-exhaustive embodiments are described with referenceto the following drawings. In the drawings, like reference numeralsrefer to like parts throughout the various figures unless otherwisespecified.

For a better understanding, reference will be made to the followingDescription Of The Various Embodiments, which is to be read inassociation with the accompanying drawings, wherein:

FIG. 1 illustrates a system environment in which various embodiments maybe implemented;

FIG. 2A shows a schematic drawing of a rack of blade servers;

FIG. 2B illustrates a schematic embodiment of a blade server that may beincluded in a rack of blade servers such as that shown in FIG. 2A;

FIG. 3 shows a schematic embodiment of a mobile device;

FIG. 4 illustrates a schematic embodiment of a network device;

FIG. 5 illustrates for at least one of the various embodiments, alogical structure for data objects that may comprise a data model;

FIG. 6 illustrates for at least one of the various embodiments, thelogical data structure of fields that may be part of a data modelobject;

FIG. 7 illustrates for at least one of the various embodiments, alogical representation of a data model that may be generated and/oremployed by the data modeling application;

FIG. 8 illustrates a logical overview of a system for at least one ofthe various embodiments for generating reports using a data model;

FIG. 9 shows an overview flow chart for at least one of the variousembodiments for process for data modeling for machine data for semanticsearching;

FIG. 10 shows an overview of a process for generating a data modelobject in accordance with at least one of the various embodiments;

FIG. 11 shows an overview flowchart of a process for generating fieldsthat may comprise a data model object in accordance with at least one ofthe various embodiments;

FIG. 12 shows an overview flowchart for a process for generatingtransactions that may be associated with a data model object and/or datamodel in accordance with at least one of the various embodiments;

FIG. 13 illustrates a flowchart showing an overview of a process forgenerating a data model from query results in accordance with at leastone of the various embodiments;

FIG. 14 illustrates a flowchart showing an overview of a process forgenerating query strings that correspond to a data model;

FIG. 15 shows a flow chart for a process for generating a pivot reportmodel in accordance with at least one of the various embodiments;

FIG. 16 shows a flow chart for a process for generating a pivot reportfrom a pivot report model and a data model in accordance with at leastone of the various embodiments;

FIG. 17 illustrates a screenshot of a user-interface that shows for atleast one of the various embodiments, a user-interface for at leastviewing a data model;

FIG. 18 illustrates a screenshot of a user-interface for at least one ofthe various embodiments, for editing and/or creating data model objectsin a data model;

FIG. 19 illustrates a screenshot of a user-interface that may be usedfor generating pivot reports in accordance with at least one of thevarious embodiments;

FIG. 20 includes a code listing of a data model object that implementsat least a portion of a pivot report model, in accordance with at leastone of the various embodiments; and

FIG. 21 includes a code listing of a portion of a data model inaccordance with at least one of the various embodiments.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Various embodiments now will be described more fully hereinafter withreference to the accompanying drawings, which form a part hereof, andwhich show, by way of illustration, specific exemplary embodiments bywhich the invention may be practiced. The embodiments may, however, beembodied in many different forms and should not be construed as limitedto the embodiments set forth herein; rather, these embodiments areprovided so that this disclosure will be thorough and complete, and willfully convey the scope of the embodiments to those skilled in the art.Among other things, the various embodiments may be methods, systems,media or devices. Accordingly, the various embodiments may take the formof an entirely hardware embodiment, an entirely software embodiment oran embodiment combining software and hardware aspects. The followingdetailed description is, therefore, not to be taken in a limiting sense.

Throughout the specification and claims, the following terms take themeanings explicitly associated herein, unless the context clearlydictates otherwise. The phrase “in one embodiment” as used herein doesnot necessarily refer to the same embodiment, though it may.Furthermore, the phrase “in another embodiment” as used herein does notnecessarily refer to a different embodiment, although it may. Thus, asdescribed below, various embodiments may be readily combined, withoutdeparting from the scope or spirit of the invention.

In addition, as used herein, the term “or” is an inclusive “or”operator, and is equivalent to the term “and/or,” unless the contextclearly dictates otherwise. The term “based on” is not exclusive andallows for being based on additional factors not described, unless thecontext clearly dictates otherwise. In addition, throughout thespecification, the meaning of “a,” “an,” and “the” include pluralreferences. The meaning of “in” includes “in” and “on.”

For example embodiments, the following terms are also used hereinaccording to the corresponding meaning, unless the context clearlydictates otherwise.

The term “machine data” as used herein may include server logs and othertypes of machine data (i.e., data generated by machines). In at leastone of the various embodiments, machine data streams may be time stampedto create time stamped events. For example, information processingenvironments, such as, firewalls, routers, web servers, applicationservers and databases may generate streams of time series data in theform of events. In some cases, events may be generated hundreds orthousands of times per second.

The term “time series data” as used herein is data where each datarecord has a timestamp associated with it. A “Time Series Search Engine”is a search engine which, in at least one of the various embodiments,can perform queries on the stored data limited by a time range (such asbetween one time and another, or data earlier than a given time, or thelike) and/or generates results ordered by time and/or timestamps (suchas from earliest-to-latest or vice versa).

The term “data repository” as used herein refers to data sources thatmay contain unstructured or structured data, such as databases, filesystems, search engine indexes, or the like. In at least one of thevarious embodiments, data repository may be a live stream of data. Inother cases, data repository may be static data, or combination of livedata or static data. In at least one of the various embodiments, datarepositories may provide interfaces and/or application programminginterfaces (API) for receiving requests, queries, or searches regardingthe data stored in the data repository.

The term “query string” as used herein refers to commands and/orsequences of commands that are used for querying, searching and/orretrieving data from a data repository. Queries generally produce aresult or results based on the form and structure of the particularquery string. Query results may be sorted and grouped based on thestructure and form of the query string. In at least one of the variousembodiments, query strings may include operators and functions forcalculating values based on the stored records, including functions thatproduce result sets that may include statistics and metrics about thedata stored in data repository. Structured Query Language (SQL) is awell-known query language often used to form queries for relationaldatabases. However, the various embodiments are not limited to usingSQL-like formatting for query strings. Accordingly, other well-knownquery languages and/or custom query languages may be employed consistentwith what is claimed herein.

The following briefly describes the embodiments of the invention inorder to provide a basic understanding of some aspects of the invention.This brief description is not intended as an extensive overview. It isnot intended to identify key or critical elements, or to delineate orotherwise narrow the scope. Its purpose is merely to present someconcepts in a simplified form as a prelude to the more detaileddescription that is presented later.

Briefly stated, various embodiments are directed towards generating datamodels that may at least define semantic meaning for modelingunstructured data and/or structured data that may be stored in a datarepository. In at least one of the various embodiments, unstructureddata may include data generated and/or received by search engines,including a time series search engine. Also, in at least one of thevarious embodiments, unstructured data may be received and/or storedabsent pre-defined data schemas or formats. In at least one of thevarious embodiments, data models also may be generated to provide atleast semantic meaning to structured data that may be stored inStructured Query Language (SQL) databases, Extensible Markup Language(XML) files, or the like.

In at least one of the various embodiments, the data model may bedetermined such that it at least provides semantic meaning tounstructured data. In at least one of the various embodiments, datamodels may be generated to provide at least semantic meaning tounstructured data without creating a static database schema. Further, inat least one of the various embodiments, one or more data models may begenerated such that the organization of the unstructured may remainunmodified. Thus, data models, in at least one of the variousembodiments, may provide semantic meaning to unstructured data withoutmodifying the unstructured data (e.g., no side-effects).

In at least one of the various embodiments, a data model may be composedof one or more data model objects. In at least one of the variousembodiments, data model objects may have a hierarchy analogous to anobject-oriented programming class hierarchy. Further, in at least one ofthe various embodiments, data model objects may include fields, filters,constraints, or the like, that correspond to the data the data modelobject represents.

In at least one of the various embodiments, users may employ a datamodeling application to produce a report using search objects that maybe part of, or associated with the data model. The data modelingapplication may employ the search objects and the data model to generatea query string for searching a data repository to produce a result set.In at least one of the various embodiments, the data modelingapplication may map the result set data to data model objects that maybe used to generate reports.

In at least one of the various embodiments, a search object may be anindividual data model object selected by a user to generate searchresults. In this case, a search object may be a data model objectselected from among the data model objects that comprise a data model.Also, in at least one of the various embodiments, search objects may bespecialized objects that may include one or more data model objects,portions of one or more data model objects, or the like. In someembodiments, search objects may include fields, filters, constraints,that may be separate from those comprising data model objects.

Illustrative Operating Environment

FIG. 1 shows components of an environment in which various embodimentsmay be practiced. Not all of the components may be required to practicethe various embodiments, and variations in the arrangement and type ofthe components may be made without departing from the spirit or scope ofthe various embodiments.

In at least one embodiment, cloud network 102 enables one or morenetwork services for a user based on the operation of correspondingarrangements 104 and 106 of virtually any type of networked computingdevice. As shown, the networked computing devices may include serverdata modeling server 112, indexing server 114, enclosure of bladeservers 110, enclosure of server computers 116, super computer networkdevice 118, and the like. Although not shown, one or more mobile devicesmay be included in cloud network 102 in one or more arrangements toprovide one or more network services to a user. Also, these arrangementsof networked computing devices may or may not be mutually exclusive ofeach other.

Additionally, the user may employ a plurality of virtually any type ofwired or wireless networked computing devices to communicate with cloudnetwork 102 and access at least one of the network services enabled byone or more of arrangements 104 and 106. These networked computingdevices may include tablet mobile device 122, handheld mobile device124, wearable mobile device 126, desktop network device 120, and thelike. Although not shown, in various embodiments, the user may alsoemploy notebook computers, desktop computers, microprocessor-based orprogrammable consumer electronics, network appliances, mobiletelephones, smart telephones, pagers, radio frequency (RF) devices,infrared (IR) devices, Personal Digital Assistants (PDAs), televisions,integrated devices combining at least one of the preceding devices, andthe like.

One embodiment of a mobile device is described in more detail below inconjunction with FIG. 3. Generally, mobile devices may include virtuallyany substantially portable networked computing device capable ofcommunicating over a wired, wireless, or some combination of wired andwireless network.

In various embodiments, network 102 may employ virtually any form ofcommunication technology and topology. For example, network 102 caninclude local area networks Personal Area Networks (PANs), (LANs),Campus Area Networks (CANs), Metropolitan Area Networks (MANs) Wide AreaNetworks (WANs), direct communication connections, and the like, or anycombination thereof. On an interconnected set of LANs, including thosebased on differing architectures and protocols, a router acts as a linkbetween LANs, enabling messages to be sent from one to another. Inaddition, communication links within networks may include virtually anytype of link, e.g., twisted wire pair lines, optical fibers, open airlasers or coaxial cable, plain old telephone service (POTS), waveguides, acoustic, full or fractional dedicated digital communicationlines including T1, T2, T3, and T4, and/or other carrier and other wiredmedia and wireless media. These carrier mechanisms may includeE-carriers, Integrated Services Digital Networks (ISDNs), universalserial bus (USB) ports, Firewire ports, Thunderbolt ports, DigitalSubscriber Lines (DSLs), wireless links including satellite links, orother communications links known to those skilled in the art. Moreover,these communication links may further employ any of a variety of digitalsignaling technologies, including without limit, for example, DS-0,DS-1, DS-2, DS-3, DS-4, OC-3, OC-12, OC-48, or the like. Furthermore,remotely located computing devices could be remotely connected tonetworks via a modem and a temporary communication link. In essence,network 102 may include virtually any communication technology by whichinformation may travel between computing devices. Additionally, in thevarious embodiments, the communicated information may include virtuallyany kind of information including, but not limited to processor-readableinstructions, data structures, program modules, applications, raw data,control data, archived data, video data, voice data, image data, textdata, and the like.

Network 102 may be partially or entirely embodied by one or morewireless networks. A wireless network may include any of a variety ofwireless sub-networks that may further overlay stand-alone ad-hocnetworks, and the like. Such sub-networks may include mesh networks,Wireless LAN (WLAN) networks, Wireless Router (WR) mesh, cellularnetworks, pico networks, PANs, Open Air Laser networks, Microwavenetworks, and the like. Network 102 may further include an autonomoussystem of intermediate network devices such as terminals, gateways,routers, switches, firewalls, load balancers, and the like, which arecoupled to wired and/or wireless communication links. These autonomousdevices may be operable to move freely and randomly and organizethemselves arbitrarily, such that the topology of network 102 may changerapidly.

Network 102 may further employ a plurality of wired and wireless accesstechnologies, e.g., 2nd (2G), 3rd (3G), 4th (4G), 5^(th) (5G) generationwireless access technologies, and the like, for mobile devices. Thesewired and wireless access technologies may also include Global Systemfor Mobile communication (GSM), General Packet Radio Services (GPRS),Enhanced Data GSM Environment (EDGE), Code Division Multiple Access(CDMA), Wideband Code Division Multiple Access (WCDMA), Long TermEvolution Advanced (LTE), Universal Mobile Telecommunications System(UMTS), Orthogonal frequency-division multiplexing (OFDM), Wideband CodeDivision Multiple Access (W-CDMA), Code Division Multiple Access 2000(CDMA2000), Evolution-Data Optimized (EV-DO), High-Speed Downlink PacketAccess (HSDPA), IEEE 802.16 Worldwide Interoperability for MicrowaveAccess (WiMax), ultra wide band (UWB), user datagram protocol (UDP),transmission control protocol/Internet protocol (TCP/IP), any portion ofthe Open Systems Interconnection (OSI) model protocols, Short MessageService (SMS), Multimedia Messaging Service (MMS), Web Access Protocol(WAP), Session Initiation Protocol/Real-time Transport Protocol(SIP/RTP), or any of a variety of other wireless or wired communicationprotocols. In one non-limiting example, network 102 may enable a mobiledevice to wirelessly access a network service through a combination ofseveral radio network access technologies such as GSM, EDGE, SMS, HSDPA,LTE and the like.

Enclosure of Blade Servers

FIG. 2A shows one embodiment of an enclosure of blade servers 200, whichare also illustrated in FIG. 1. Enclosure of blade servers 200 mayinclude many more or fewer components than those shown in FIG. 2A.However, the components shown are sufficient to disclose an illustrativeembodiment. Generally, a blade server is a stripped down servercomputing device with a modular design optimized to minimize the use ofphysical space and energy. A blade enclosure can include several bladeservers and provide each with power, cooling, network interfaces,input/output interfaces, and resource management. Although not shown, anenclosure of server computers typically includes several computers thatmerely require a network connection and a power cord connection tooperate. Each server computer often includes redundant components forpower and interfaces.

As shown in the figure, enclosure 200 contains power supply 204, andinput/output interface 206, rack logic 208, several blade servers 210,212, 214, and 216, and backplane 202. Power supply 204 provides power toeach component and blade server within the enclosure. The input/outputinterface 206 provides internal and external communication forcomponents and blade servers within the enclosure. Backplane 208 canenable passive and active communication of power, logic, input signals,and output signals for each blade server.

Illustrative Blade Server

FIG. 2B illustrates an illustrative embodiment of blade server 250,which may include many more or fewer components than those shown. Asshown in FIG. 2A, a plurality of blade servers may be included in oneenclosure that shares resources provided by the enclosure to reducesize, power, and cost.

Blade server 250 includes processor 252 which communicates with memory256 via bus 254. Blade server 250 also includes input/output interface290, processor-readable stationary storage device 292, andprocessor-readable removable storage device 294. Input/output interface290 can enable blade server 250 to communicate with other blade servers,mobile devices, network devices, and the like. Interface 290 may providewireless and/or wired communication links for blade server.Processor-readable stationary storage device 292 may include one or moredevices such as an electromagnetic storage device (hard disk), solidstate hard disk (SSD), hybrid of both an SSD and a hard disk, and thelike. In some configurations, a blade server may include multiplestorage devices. Also, processor-readable removable storage device 294enables processor 252 to read non-transitive storage media for storingand accessing processor-readable instructions, modules, data structures,and other forms of data. The non-transitive storage media may includeFlash drives, tape media, floppy media, and the like.

Memory 256 may include Random Access Memory (RAM), Read-Only Memory(ROM), hybrid of RAM and ROM, and the like. As shown, memory 256includes operating system 258 and basic input/output system (BIOS) 260for enabling the operation of blade server 250. In various embodiments,a general-purpose operating system may be employed such as a version ofUNIX, LINUX™, a specialized server operating system such as Microsoft'sWindows Server™ and Apple Computer's IoS Server™, or the like.

Memory 256 further includes one or more data storage 270, which can beutilized by blade server 250 to store, among other things, applications280 and/or other data. Data stores 270 may include program code, data,algorithms, and the like, for use by processor 252 to execute andperform actions. In one embodiment, at least some of data store 270might also be stored on another component of blade server 250,including, but not limited to, processor-readable removable storagedevice 294, processor-readable stationary storage device 292, or anyother processor-readable storage device (not shown). Data storage 270may include, for example, data models 274, indexes 276, orconfigurations 278.

Applications 280 may include processor executable instructions which,when executed by blade server 250, transmit, receive, and/or otherwiseprocess messages, audio, video, and enable communication with othernetworked computing devices. Examples of application programs includedatabase servers, file servers, calendars, transcoders, and so forth.Applications 280 may include, for example, data modeling application282, and indexing application 284.

Human interface components (not pictured), may be remotely associatedwith blade server 250, which can enable remote input to and/or outputfrom blade server 250. For example, information to a display or from akeyboard can be routed through the input/output interface 290 toappropriate peripheral human interface components that are remotelylocated. Examples of peripheral human interface components include, butare not limited to, an audio interface, a display, keypad, pointingdevice, touch interface, and the like.

Illustrative Mobile Device

FIG. 3 shows one embodiment of mobile device 300 that may include manymore or less components than those shown. Mobile device 300 mayrepresent, for example, at least one embodiment of mobile devices shownin FIG. 1.

Mobile device 300 includes processor 302 in communication with memory304 via bus 328. Mobile device 300 also includes power supply 330,network interface 332, audio interface 356, display 350, keypad 352,illuminator 354, video interface 342, input/output interface 338, hapticinterface 364, global positioning systems (GPS) receiver 358, Open airgesture interface 360, temperature interface 362, camera(s) 340,projector 346, pointing device interface 366, processor-readablestationary storage device 334, and processor-readable removable storagedevice 336. Power supply 330 provides power to mobile device 300. Arechargeable or non-rechargeable battery may be used to provide power.The power may also be provided by an external power source, such as anAC adapter or a powered docking cradle that supplements and/or rechargesthe battery. And in one embodiment, although not shown, a gyroscope maybe employed within mobile device 300 to measuring and/or maintaining anorientation of mobile device 300.

Mobile device 300 may optionally communicate with a base station (notshown), or directly with another computing device. Network interface 332includes circuitry for coupling mobile device 300 to one or morenetworks, and is constructed for use with one or more communicationprotocols and technologies including, but not limited to, protocols andtechnologies that implement any portion of the Open SystemsInterconnection (OSI) model for mobile communication (GSM), codedivision multiple access (CDMA), time division multiple access (TDMA),user datagram protocol (UDP), transmission control protocol/Internetprotocol (TCP/IP), Short Message Service (SMS), Multimedia MessagingService (MMS), general packet radio service (GPRS), Web Access Protocol(WAP), ultra wide band (UWB), IEEE 802.16 Worldwide Interoperability forMicrowave Access (WiMax), Session Initiation Protocol/Real-timeTransport Protocol (SIP/RTP), General Packet Radio Services (GPRS),Enhanced Data GSM Environment (EDGE), Wideband Code Division MultipleAccess (WCDMA), Long Term Evolution Advanced (LTE), Universal MobileTelecommunications System (UMTS), Orthogonal frequency-divisionmultiplexing (OFDM), Code Division Multiple Access 2000 (CDMA2000),Evolution-Data Optimized (EV-DO), High-Speed Downlink Packet Access(HSDPA), or any of a variety of other wireless communication protocols.Network interface 332 is sometimes known as a transceiver, transceivingdevice, or network interface card (NIC).

Audio interface 356 is arranged to produce and receive audio signalssuch as the sound of a human voice. For example, audio interface 356 maybe coupled to a speaker and microphone (not shown) to enabletelecommunication with others and/or generate an audio acknowledgementfor some action. A microphone in audio interface 356 can also be usedfor input to or control of mobile device 300, e.g., using voicerecognition, detecting touch based on sound, and the like.

Display 350 may be a liquid crystal display (LCD), gas plasma,electronic ink, light emitting diode (LED), Organic LED (OLED) or anyother type of light reflective or light transmissive display that can beused with a computing device. Display 350 may also include a touchinterface 344 arranged to receive input from an object such as a stylusor a digit from a human hand, and may use resistive, capacitive, surfaceacoustic wave (SAW), infrared, radar, or other technologies to sensetouch and/or gestures. Projector 346 may be a remote handheld projectoror an integrated projector that is capable of projecting an image on aremote wall or any other reflective object such as a remote screen.

Video interface 342 may be arranged to capture video images, such as astill photo, a video segment, an infrared video, or the like. Forexample, video interface 342 may be coupled to a digital video camera, aweb-camera, or the like. Video interface 342 may comprise a lens, animage sensor, and other electronics. Image sensors may include acomplementary metal-oxide-semiconductor (CMOS) integrated circuit,charge-coupled device (CCD), or any other integrated circuit for sensinglight.

Keypad 352 may comprise any input device arranged to receive input froma user. For example, keypad 352 may include a push button numeric dial,or a keyboard. Keypad 352 may also include command buttons that areassociated with selecting and sending images. Illuminator 354 mayprovide a status indication and/or provide light. Illuminator 354 mayremain active for specific periods of time or in response to events. Forexample, when illuminator 354 is active, it may backlight the buttons onkeypad 352 and stay on while the mobile device is powered. Also,illuminator 354 may backlight these buttons in various patterns whenparticular actions are performed, such as dialing another mobile device.Illuminator 354 may also cause light sources positioned within atransparent or translucent case of the mobile device to illuminate inresponse to actions.

Mobile device 300 also comprises input/output interface 338 forcommunicating with external peripheral devices or other computingdevices such as other mobile devices and network devices. The peripheraldevices may include an audio headset, display screen glasses, remotespeaker system, remote speaker and microphone system, and the like.Input/output interface 338 can utilize one or more technologies, such asUniversal Serial Bus (USB), Infrared, WiFi, WiMax, Bluetooth™, and thelike. Haptic interface 364 is arranged to provide tactile feedback to auser of the mobile device. For example, the haptic interface 364 may beemployed to vibrate mobile device 300 in a particular way when anotheruser of a computing device is calling. Temperature interface 362 may beused to provide a temperature measurement input and/or a temperaturechanging output to a user of mobile device 300. Open air gestureinterface 360 may sense physical gestures of a user of mobile device300, for example, by using single or stereo video cameras, radar, agyroscopic sensor inside a device held or worn by the user, or the like.Camera 340 may be used to track physical eye movements of a user ofmobile device 300.

GPS transceiver 358 can determine the physical coordinates of mobiledevice 300 on the surface of the Earth, which typically outputs alocation as latitude and longitude values. GPS transceiver 358 can alsoemploy other geo-positioning mechanisms, including, but not limited to,triangulation, assisted GPS (AGPS), Enhanced Observed Time Difference(E-OTD), Cell Identifier (CI), Service Area Identifier (SAI), EnhancedTiming Advance (ETA), Base Station Subsystem (BSS), or the like, tofurther determine the physical location of mobile device 300 on thesurface of the Earth. It is understood that under different conditions,GPS transceiver 358 can determine a physical location for mobile device300. In at least one embodiment, however, mobile device 300 may, throughother components, provide other information that may be employed todetermine a physical location of the device, including for example, aMedia Access Control (MAC) address, IP address, and the like.

Human interface components can be peripheral devices that are physicallyseparate from mobile device 300, allowing for remote input and/or outputto mobile device 300. For example, information routed as described herethrough human interface components such as display 350 or keyboard 352can instead be routed through network interface 332 to appropriate humaninterface components located remotely. Examples of human interfaceperipheral components that may be remote include, but are not limitedto, audio devices, pointing devices, keypads, displays, cameras,projectors, and the like. These peripheral components may communicateover a Pico Network such as Bluetooth™ Zigbee™ and the like. Onenon-limiting example of a mobile device with such peripheral humaninterface components is a wearable computing device, which might includea remote pico projector along with one or more cameras that remotelycommunicate with a separately located mobile device to sense a user'sgestures toward portions of an image projected by the pico projectoronto a reflected surface such as a wall or the user's hand.

A mobile device may include a browser application that is configured toreceive and to send web pages, web-based messages, graphics, text,multimedia, and the like. The mobile device's browser application mayemploy virtually any programming language, including a wirelessapplication protocol messages (WAP), and the like. In at least oneembodiment, the browser application is enabled to employ Handheld DeviceMarkup Language (HDML), Wireless Markup Language (WML), WMLScript,JavaScript, Standard Generalized Markup Language (SGML), HyperTextMarkup Language (HTML), eXtensible Markup Language (XML), HTML5, and thelike.

Memory 304 may include Random Access Memory (RAM), Read-Only Memory(ROM), and/or other types of memory. Memory 304 illustrates an exampleof computer-readable storage media (devices) for storage of informationsuch as computer-readable instructions, data structures, program modulesor other data. Memory 304 stores a basic input/output system (BIOS) 308for controlling low-level operation of mobile device 300. The memoryalso stores an operating system 306 for controlling the operation ofmobile device 300. It will be appreciated that this component mayinclude a general-purpose operating system such as a version of UNIX, orLINUX™, or a specialized mobile computer communication operating systemsuch as Windows Mobile™, or the Symbian® operating system. The operatingsystem may include, or interface with a Java virtual machine module thatenables control of hardware components and/or operating systemoperations via Java application programs.

Memory 304 further includes one or more data storage 310, which can beutilized by mobile device 300 to store, among other things, applications320 and/or other data. For example, data storage 310 may also beemployed to store information that describes various capabilities ofmobile device 300. The information may then be provided to anotherdevice based on any of a variety of events, including being sent as partof a header during a communication, sent upon request, or the like. Datastorage 310 may also be employed to store social networking informationincluding address books, buddy lists, aliases, user profile information,or the like. Data storage 310 may further include program code, data,algorithms, and the like, for use by a processor, such as processor 302to execute and perform actions. In one embodiment, at least some of datastorage 310 might also be stored on another component of mobile device300, including, but not limited to, non-transitory processor-readableremovable storage device 336, processor-readable stationary storagedevice 334, or even external to the mobile device. Data storage 310 mayinclude, for example, data models 314.

Applications 320 may include computer executable instructions which,when executed by mobile device 300, transmit, receive, and/or otherwiseprocess instructions and data. Applications 320 may include, forexample, data modeling application 322. Other examples of applicationprograms include calendars, search programs, email client applications,IM applications, SMS applications, Voice Over Internet Protocol (VOIP)applications, contact managers, task managers, transcoders, databaseprograms, word processing programs, security applications, spreadsheetprograms, games, search programs, and so forth.

Illustrative Network Device

FIG. 4 shows one embodiment of network device 400 that may be includedin a system implementing the invention. Network device 400 may includemany more or less components than those shown in FIG. 4. However, thecomponents shown are sufficient to disclose an illustrative embodimentfor practicing the present invention. Network device 400 may represent,for example, one embodiment of at least one of data modeling server 112,indexing server 114, or 120 of FIG. 1.

As shown in the figure, network device 400 includes a processor 402 incommunication with a memory 404 via a bus 428. Network device 400 alsoincludes a power supply 430, network interface 432, audio interface 456,display 450, keyboard 452, input/output interface 438,processor-readable stationary storage device 434, and processor-readableremovable storage device 436. Power supply 430 provides power to networkdevice 400.

Network interface 432 includes circuitry for coupling network device 400to one or more networks, and is constructed for use with one or morecommunication protocols and technologies including, but not limited to,protocols and technologies that implement any portion of the OpenSystems Interconnection model (OSI model), global system for mobilecommunication (GSM), code division multiple access (CDMA), time divisionmultiple access (TDMA), user datagram protocol (UDP), transmissioncontrol protocol/Internet protocol (TCP/IP), Short Message Service(SMS), Multimedia Messaging Service (MMS), general packet radio service(GPRS), WAP, ultra wide band (UWB), IEEE 802.16 WorldwideInteroperability for Microwave Access (WiMax), Session InitiationProtocol/Real-time Transport Protocol (SIP/RTP), or any of a variety ofother wired and wireless communication protocols. Network interface 432is sometimes known as a transceiver, transceiving device, or networkinterface card (NIC). Network device 400 may optionally communicate witha base station (not shown), or directly with another computing device.

Audio interface 456 is arranged to produce and receive audio signalssuch as the sound of a human voice. For example, audio interface 456 maybe coupled to a speaker and microphone (not shown) to enabletelecommunication with others and/or generate an audio acknowledgementfor some action. A microphone in audio interface 456 can also be usedfor input to or control of network device 400, for example, using voicerecognition.

Display 450 may be a liquid crystal display (LCD), gas plasma,electronic ink, light emitting diode (LED), Organic LED (OLED) or anyother type of light reflective or light transmissive display that can beused with a computing device. Display 450 may be a handheld projector orpico projector capable of projecting an image on a wall or other object.

Network device 400 also may also comprise input/output interface 438 forcommunicating with external devices not shown in FIG. 4. Input/outputinterface 438 can utilize one or more wired or wireless communicationtechnologies, such as USB™ Firewire™, WiFi, WiMax, Thunderbolt™,Infrared, Bluetooth™, Zigbee™, serial port, parallel port, and the like.

Human interface components can be physically separate from networkdevice 400, allowing for remote input and/or output to network device400. For example, information routed as described here through humaninterface components such as display 450 or keyboard 452 can instead berouted through the network interface 432 to appropriate human interfacecomponents located elsewhere on the network. Human interface componentsinclude any component that allows the computer to take input from, orsend output to, a human user of a computer.

Memory 404 may include Random Access Memory (RAM), Read-Only Memory(ROM), and/or other types of memory. Memory 404 illustrates an exampleof computer-readable storage media (devices) for storage of informationsuch as computer-readable instructions, data structures, program modulesor other data. Memory 404 stores a basic input/output system (BIOS) 408for controlling low-level operation of network device 400. The memoryalso stores an operating system 406 for controlling the operation ofnetwork device 400. It will be appreciated that this component mayinclude a general-purpose operating system such as a version of UNIX, orLINUX™, or a specialized operating system such as MicrosoftCorporation's Windows® operating system, or the Apple Corporation's IOs®operating system. The operating system may include, or interface with aJava virtual machine module that enables control of hardware componentsand/or operating system operations via Java application programs.

Memory 404 further includes one or more data storage 410, which can beutilized by network device 400 to store, among other things,applications 420 and/or other data. For example, data storage 410 mayalso be employed to store information that describes variouscapabilities of network device 400. The information may then be providedto another device based on any of a variety of events, including beingsent as part of a header during a communication, sent upon request, orthe like. Data storage 410 may also be employed to store socialnetworking information including address books, buddy lists, aliases,user profile information, or the like. Data stores 410 may furtherinclude program code, data, algorithms, and the like, for use by aprocessor, such as processor 402 to execute and perform actions. In oneembodiment, at least some of data store 410 might also be stored onanother component of network device 400, including, but not limited to,non-transitory media inside processor-readable removable storage device436, processor-readable stationary storage device 434, or any othercomputer-readable storage device within network device 400, or evenexternal to network device 400. Data storage 410 may include, forexample, indexes 412, data models 414, and configurations 416.

Applications 420 may include computer executable instructions which,when executed by network device 400, transmit, receive, and/or otherwiseprocess messages (e.g., SMS, Multimedia Messaging Service (MMS), InstantMessage (IM), email, and/or other messages), audio, video, and enabletelecommunication with another user of another mobile device. Otherexamples of application programs include calendars, search programs,email client applications, IM applications, SMS applications, Voice OverInternet Protocol (VOIP) applications, contact managers, task managers,transcoders, database programs, word processing programs, securityapplications, spreadsheet programs, games, search programs, and soforth. Applications 420 may include, for example, data modelingapplication 422, and indexing application 424.

Illustrative Data Modeling Architecture

FIGS. 5-8 represents embodiments of a data modeling architecture for atleast one of the various embodiments. FIG. 5 illustrates for at leastone of the various embodiments, a logical structure for data modelobjects that may comprise a data model. In at least one of the variousembodiments, a data model may be generated by a user. In at least one ofthe various embodiments, users that generate data models understand thestructure of the data as it is stored in the data repository.

In at least one of the various embodiments, if generating a data model,the user may employ data modeling application 422 to systematicallyencapsulate his or her knowledge of the data enabling data modelingapplication 422 to provide the data model to other users. In at leastone of the various embodiments, these other users may employ thegenerated data model(s) to generate reports.

In at least one of the various embodiments, a data model may be composedof one or more of data model objects. In at least one of the variousembodiments, data model objects may have a hierarchy analogous to anobject-oriented programming class hierarchy, and may inherit either froma root object provided by the data modeling application, or another datamodel object present in the current data model.

In at least one of the various embodiments, a data model may be definedand/or stored as a JavaScript Object Notation (JSON) file. In othercases, in at least one of the various embodiments, data models may beimplemented using, XML, Python, C++, Perl, Java, C, or the like.

In at least one of the various embodiments, a data model objectcorresponds to some type/portion of data in stored in a data repository.In at least one of the various embodiments, data model objects maycorrespond to events. In at least one of the various embodiments, theymay correspond to a transaction or an abstract concept such as “user”.In at least one of the various embodiments, data model objects may havea set of fields. Some fields of a data model object may be requiredwhile other fields may be optional.

In at least one of the various embodiments, fields may include typessuch as numerical, string, Boolean, and timestamp, as specified in thedata model. In at least one of the various embodiments, a data modelobject's fields may correspond directly to fields extracted from data inthe data repository or they may be calculated by the data modelingapplication using formulas, regular expressions, or other built-incommands.

In at least one of the various embodiments, data model object 502 may bearranged to support and/or require certain attributes and/or properties.In at least one of the various embodiments, attribute ObjectName 504 mayinclude the name of the data model object. In at least one of thevarious embodiments, if the data model is implemented using an objectoriented programming language, ObjectName 504 may be a class type orclass name supported by the underlying language.

In at least one of the various embodiments, attribute parentName 506 mayinclude an identifier indicating the identity of a parent data modelobject data model object 502. In at least one of the variousembodiments, parentName 506 may be employed by the data modelingapplication to determine if a data model object is a child object ofanother data model object.

In at least one of the various embodiments, if a value is included forparentName 506, the data modeling application may determine that thedata model object derives from the parent data model object. In at leastone of the various embodiments, a child data model object may inheritcharacteristics, such as, fields, constraints, filters, or the like,from their corresponding parent data model objects.

In at least one of the various embodiments, if parentName 506 is notexplicitly set, the data modeling application may default to theparentName to an appropriate value that may correspond to a built-inroot/base class (e.g., Event, or Transaction).

In at least one of the various embodiments, fields 508 may be acollection of name-value pairs that may be employed to representproperties of the data model object. In at least one of the variousembodiments, fields may have various properties, features, or meta-datathat may be employed by the data modeling application to determine thecharacteristics of a particular field. (See FIG. 6 and its accompanyingdescription.)

In at least one of the various embodiments, fields may be determinedand/or associated with the data model object based on defaulting rules.Such rules may be included in one or more configuration files and/orconfiguration stores. Also, in at least one of the various embodiments,fields may be determined by users through a user-interface.

In at least one of the various embodiments, data model objects mayinclude additional properties and/or behaviors such as Calculations 510,Constraints 512, or the like. In at least one of the variousembodiments, calculations 510 may be employed to generate field valuesbased on the operation of formulas, functions, custom scripts, or thelike. In at least one of the various embodiments, constraints may beemployed to exclude data from matching a data model object. In at leastone of the various embodiments, constraints may include regularexpressions that may be employed to determine if data from a datarepository matches and/or maps to a data model object. For example, inat least one of the various embodiments, if a data repository includesweb server log events, a regular expression style constraint ofuri=“*.css” may constrain a data model object to map to web server logevents that correspond to HTTP requests for CSS style sheets (e.g, basedon the style sheet having an file extension of “.css”).

Also, in at least one of the various embodiments, constraints mayinclude logical and/or arithmetic expressions, such as, “bytes>2000” or“code=404”, or the like. Further, in at least one of the variousembodiments, the rules or formulas included in calculations and/orconstraints may reference one or more fields or calculations orconstraints.

As an example, in at least one of the various embodiments, data modelobject 514 may be configured to represent a HTTP request event.HTTP_REQUEST 516 may be the data model object name. Further, in at leastone of the various embodiments, http requests may be derived from anevent data model object. Thus, in at least one of the variousembodiments, EVENT 518 may be the parent name.

In at least one of the various embodiments, fields 520 may include namevalue pairs that may be relevant to HTTP requests. Further, in at leastone of the various embodiments, HTTP_REQUEST data model objects may bedefined with constraint 522 such that eligible values for the statusfields are less than 600.

In at least one of the various embodiments, data models may be arrangedto represent (e.g., model) unstructured data from various sources. Suchsources may include, web server logs, networking system logs, financialtransaction events, or the like.

In at least one of the various embodiments, log record 524 may be a HTTPrequest log record that data model object 514 may be arranged to model.Data included in the log record may be mapped into fields 520 of datamodel object 514. In at least one of the various embodiments, theparticular fields may be identified, collected, and extracted, using avariety of techniques.

Also, data models may be arranged to model data provided in a variety offormats and/or stored in a variety of data repositories including, SQLdatabases, flat files, fixed record length files, comma separated files(CSV), extensible markup language (XML), or the like.

FIG. 6 illustrates for at least one of the various embodiments, thelogical data structure of field 602 that may be part of a data modelobject, such as, fields 520 in FIG. 5. In at least one of the variousembodiments, fields may have a variety of properties that maycharacterize and/or define the data that the field may be designed tomodel.

In at least one of the various embodiments, a field may include owner604, fieldname 606, required flag 608, multi-value flag 610, type 612,constraints 614, or the like. In at least one of the variousembodiments, the data modeling application may employ at least a portionof the attributes and/or meta-data associated with a field ifdetermining the mapping between the source data and the data modelobject.

In at least one of the various embodiments, owner 604 may indicateparticular the data model object that may own the field. In at least oneof the various embodiments, fieldname 606 may define the name of thefield. In at least one of the various embodiments, flags such asrequired 608 and multi-value 610 may be Boolean style fields that may betrue or false. In at least one of the various embodiments, the values ofthe Boolean attributes may indicate if particular characteristics may beassociated with a particular field. For example, in at least one of thevarious embodiments, required attribute 608 may be interpreted by thedata modeling application to indicate that the corresponding field isrequired to be filled/populated with data. Likewise, in at least one ofthe various embodiments, field attribute 610 may be interpreted by thedata modeling application to indicate if the field may include multiplevalues.

In at least one of the various embodiments, type attribute 612 may beinterpreted by the data modeling application to classify the field databased on the type of data expected. For example, in at least one of thevarious embodiments, common data types may include, integer, string,numeric, date-time, timestamp, Boolean, or the like.

Also, in at least one of the various embodiments, fields may beassociated with constraints that may be applied by the data modelingapplication as part of determining eligible values for the field. Forexample, in at least one of the various embodiments, constraints 614 maybe employed by the data modeling application to determine thateligible/valid data for field 602 requires a length that is greater thanfour.

FIG. 7 illustrates for at least one of the various embodiments, alogical representation of a data model that may be generated and/oremployed by the data modeling application. In at least one of thevarious embodiments, the data modeling application may employ generalobject oriented concepts based on, and/or similar to object-orientedprogramming languages and/or platforms, such as, C++, Java, Objective-C,C#, or the like.

Further, data model 700 in FIG. 7 may be a non-limiting exampleembodiment of a data model that may be generated using at least one ofthe various embodiments. One of ordinary skill in the art willappreciate that a variety of data models may be generated using at leastone the various embodiments for a variety of different applicationcontexts. The particular model discussed in FIG. 7 is presented in theinterest of brevity and to provide additional clarity in the descriptionof at least one of the various embodiments. Accordingly, it should beobvious to one of ordinary skill in the art that the subject matterdisclosed and/or claimed herein enable the generation of data modelsother than the one depicted in FIG. 7.

In at least one of the various embodiments, the data model in FIG. 7 mayrepresent a portion of a data model directed towards modeling eventsthat may be related to HTTP servers and client interaction with HTTPservers.

In at least one of the various embodiments, model object EVENT 702 maybe the root of the data model. In at least one of the variousembodiments, it may be a base data model object that provides coreproperties and behaviors that may be expected to be common to manyevents the data model may be expected model.

In at least one of the various embodiments, data model object HTTPREQUEST 704 may be derived from EVENT 702. In at least one of thevarious embodiments, data model object 704 may be specialization ofEVENT 702 that may include properties and fields that may be expected tobe associated with a HTTP request events. In at least one of the variousembodiments, such properties may include a uniform resource identifier(URI) field, a referrer field, or the like. (See, FIG. 5.)

Further, in at least one of the various embodiments, data model objectHTTP SUCCESS 706 may be derived from HTTP REQUEST 704. In at least oneof the various embodiments, HTTP SUCCESS 706 may be a data model objectspecialized to represent a HTTP request that had a successful outcome.In at least one of the various embodiments, such specialization mayinclude a constraint that requires the status of the request to be 200,201, 202, 203, 204, or the like (e.g., success status codes that startwith 2).

In at least one of the various embodiments, PAGE VIEW 708 may be afurther specialization derived from HTTP SUCCESS 706 that modelssuccessful HTTP requests that may represent a client viewing a web page.Also, in at least one of the various embodiments, FAQ VIEW 720 may be afurther specialization of PAGE VIEW 708. In one embodiment FAQ VIEW 720may include one or more constraints that limit the data model object torepresenting successful HTTP views of a frequently asked question page(FAQ).

In at least one of the various embodiments, data model objects in a datamodel may have different and/or separate root model objects. In at leastone of the various embodiments, EVENT SET 710 may be a root data modelobject that may be arranged to model one or more events group based oncriteria defined by the event set object. In at least one of the variousembodiments, event set objects may be employed to detect and/or performoperations on groups of events. For example, event set objects may beemployed to run a clustering algorithm on the data in the datarepository for determining groups of similar events.

In at least one of the various embodiments, TRANSACTION OBJECT 712 maybe a specialization of an event set object that may be defined to modelevents that occur within a determined time period, in a particularorder, having particular field values, or the like.

In at least one of the various embodiments, data model object VISIT 714may be a specialized transaction that may be arranged to model one ormore particular sequence of events that represent a user visiting aportion of a website. Likewise, data model object CLIENT 720 may bedefined to represent a sequence of events that represent a clientvisiting a website.

In at least one of the various embodiments, users may employ the datamodeling application to generate searches and/or reports based on a datamodel. In at least one of the various embodiments, search object 716 maybe defined by selecting one or more data model objects 718. In at leastone of the various embodiments, a search object may be defined to applyparticular fields of one or more data model objects to implement asearch that corresponds to the a desired report. Also, in at least oneof the various embodiments, a search object may be defined to includeits own fields that may be employed to produce, format, and/or displayportions of the data model objects that may be included the report.

In at least one of the various embodiments, search objects may includeone or more fields from one or more data model objects. Also, in atleast one of the various embodiments, search objects may includeaggregate fields that enable the computation and display of aggregateresults such as, sums, maximum, root-mean square, or the like, to bedetermined as part of a report.

FIG. 8 illustrates a logical overview of data modeling application 800for at least one of the various embodiments for generating reports usinga data model. In at least one of the various embodiments, a user mayinitiate the generation of a report at a user-interface on networkdevice 802.

In at least one of the various embodiments, the user may select and/orgenerate search objects 804. In at least one of the various embodiments,search objects 804 may comprise search elements selected from one ormore data models. In at least one of the various embodiments, searchobjects may be retrieved from a set of previously generated searchobjects or it may be generated at the time the user generates thereport.

In at least one of the various embodiments, search objects may begenerated based on data model objects selected from a data model. In atleast one of the various embodiments, the data model object constraints,fields, or constraints used to define a data model object may besufficient for searching to generating the expected report results. Inat least one of the various embodiments, search objects may be processedby the data modeling application to generate query strings that may beexecuted against one or more data repositories.

For example, in at least one of the various embodiments, data modelobject FAQ VIEW 720 may include a constraint that requires a uniformresource identifier (URI) field to match a particular page (e.g.,www.splunk.com/faq.html) to produce report results that include eventsrepresenting page views of a FAQ page (e.g., matching the URI pattern ofinterest).

In at least one of the various embodiments, the selected/generatedsearch objects may be received by query generator 806. In at least oneof the various embodiments, query generator 806 may employ the searchobjects, and/or the data model to generate a query string and/or searchstring that may correspond to the requested report. In at least one ofthe various embodiments, the query string and/or search string may begenerated based on the data model objects that may contribute data tothe report.

In at least one of the various embodiments, data repository 808 mayreceive the query string generated by query generator 806. In at leastone of the various embodiments, the query string may be executed againstdata stored in the data repository to produce a corresponding resultset. In at least one of the various embodiments, the result set may bepresented in a format native to the operative data repository.

In at least one of the various embodiments, instance generator 810 mayreceive the result set from the data repository and produce instances ofdata model objects corresponding to the result set. In at least one ofthe various embodiments, instance generator 810 may generate reportresults 812 that may include a collection of instantiated data modelobjects.

From report results 812, in at least one of the various embodiments, areport may be generated. In at least one of the various embodiments,report 814 may be formatted for a user to read on web page or other userinterface. Also, in at least one of the various embodiments, reports maybe formatted for printing, exporting to other applications, exporting toother network devices, archiving, or the like.

In at least one of the various embodiments, reports, report views,and/or report formatting may be based on the data model, search objects,or report templates associated with the generated report results. Forexample, in at least one of the various embodiments, data model objectscomprising the report results may include several fields, such as, URI,Timestamp, Referrer, CookieName, or the like. A report view, in at leastone of the various embodiments, may be configured to selectively list aportion of the available fields, such as, just the URI and Timestamp. Inat least one of the various embodiments, a user may design reportsand/or report templates in terms of the data models and/or searchobjects (e.g., for pivot reports). In at least one of the variousembodiments, the one or more report models may be employed to generatethe reports.

Generalized Operation

FIGS. 9-16 represent the generalized operation of at least one of thevarious embodiments. FIG. 9 shows an overview flow chart for at leastone of the various embodiments for process 900 for data modeling formachine data for semantic searching. After a start block, at block 902,in at least one of the various embodiments, determine a data model thatmay be used to model data stored in a data repository.

In at least one of the various embodiments, data models may be selectedfrom a set of one or more previously generated data models or a new datamodel may be generated. In at least one of the various embodiments,different users may determine and/or generate separate data models whereeach data model may represent a different view and/or perspective of thedata stored in the data repository.

In at least one of the various embodiments, data models may be generatedto represent (e.g., model) unstructured data that may be stored in adata repository. In at least one of the various embodiments,unstructured data may include data generated and/or received by searchengines, including a time series engine. Also, in at least one of thevarious embodiments, unstructured data may be received and/or storedabsent pre-defined data schemas or formats.

In at least one of the various embodiments, the data model may bedetermined such that it at least provides semantic meaning tounstructured data stored in data repository. In at least one of thevarious embodiments, data models may be generated to provide at leastsemantic meaning to unstructured data without the creating a staticdatabase schema. Further, in at least one of the various embodiments,one or more data models may be generated such that the unstructured datamay remain unmodified. Thus, data models, in at least one of the variousembodiments, may provide semantic meaning to unstructured data withoutmodifying the unstructured data (e.g., causing little or noside-effect).

In at least one of the various embodiments, data models also may begenerated to provide at least semantic meaning to structured data thatmay be stored in SQL databases, XML files, or the like.

At block 904, in at least one of the various embodiments, determine oneor more search objects based on the determined data model and/or aselected report template. In at least one of the various embodiments,search objects may be data model objects selected from the data model.Also, in at least one of the various embodiments, search objects may begenerated based on one or more report templates that may includeportions of one or more data model objects from one or more the datamodels. In at least one of the various embodiments, search objects mayinclude calculations and filters that may be applied to generateresults, views, reports, or the like.

At block 906, in at least one of the various embodiments, the datamodeling application may generate a query string based on one or moredetermined search object(s) and/or one or more determined data models.In at least one of the various embodiments, the query string may beformatted to be compatible with at least one targeted data repository.

In at least one of the various embodiments, the data modelingapplication may traverse at least a portion of the data model togenerate at least a portion of a query string for searching data in atleast one data repository, wherein the portion of the data model isdetermined based on the at least one search object.

At block 908, in at least one of the various embodiments, the generatedquery string may be executed at or on a data repository to produce aresult set that may correspond to the query string.

At block 910, in at least one of the various embodiments, the datamodeling application may receive the query result set from the datarepository. In at least one of the various embodiments, the datamodeling application may map the values and/or records included in aresult set to the appropriate data model objects. In at least one of thevarious embodiments, one or more instances of data model objects may beinstantiated that correspond to data included in the result set.

In at least one of the various embodiments, the mapping process maydetermine the data model objects that correspond to the result set data,based on the filters, constraints, or fields that may be determined tomatch the data in the result set.

In at least one of the various embodiments, the data modelingapplication may map data from at least one portion of the result set toat least one data model object included in the data model, wherein theat least one portion of the result set is based on a configuration ofthe data model. For example, in at least one of the various embodiments,data models and/or data model objects may be configured to includefilters, constraints, fields, or the like, which may be employed toidentify and/or extract one or more portions of the result set formapping to the data model and/or data model objects.

At block 912, in at least one of the various embodiments, generate areport based on the mapped data model objects and/or result set. In atleast one of the various embodiments, reports may be formatted usingwell-known techniques based on at least the expected target audience. Inat least one of the various embodiments, reports may be formatted forviewing and/or manipulation by users (e.g., presented in web pages). Inat least one of the various embodiments, the data modeling applicationmay generate at least one report for the at least one data model objectthat corresponds to the data mapped from the at least one portion of theresult set. Also, in at least one of the various embodiments, reportsmay be formatted for importing into other applications, other machines,network devices, or the like.

FIG. 10 shows an overview of process 1000 for generating a data modelobject in accordance with at least one of the various embodiments. Aftera start block, at block 1002, in at least one of the variousembodiments, determine data model object name. In at least one of thevarious embodiments, data model objects that may be included in a datamodel may be named such that they may be uniquely identified. Also, inat least one of the various embodiments, data model objects may beassigned user permission/access attributes that may influence how agiven user may interact with the data model object. For example, in atleast one of the various embodiments, some users may have permission tomodify the internal properties of a data mode object, while other usersmay be restricted to read-only access to the data model object'sproperties.

At block 1004, in at least one of the various embodiments, the datamodeling application may determine a parent data model object for thegenerated data model object. In at least one of the various embodiments,each data model object may have a corresponding parent data modelobject. In at least one of the various embodiments, determining a parentdata model object may depend on the purpose, owner, or the like, of thedata model object.

In at least one of the various embodiments, additional data modelobjects in the data model may be derived from the parent data modelobject. In at least one of the various embodiments, well-knownobject-oriented programming characteristics, such as, inheritance,polymorphism, or the like, may be supported by data model objects.

In at least one of the various embodiments, the parent data modelobjects may provide fields, constraints, filters, or the like, to childdata model objects that may be in the data model. In at least one of thevarious embodiments, the parent data model object may also provideinterfaces that may influence how child data model objects may bedefined.

Also, in at least one of the various embodiments, new data model objectsmay be generated separate from a parent data model objects. In at leastone of the various embodiments, such data model objects mayautomatically receive a parent data model object provided by the datamodeling application.

At block 1006, in at least one of the various embodiments, fields forthe data model object may be determined. In at least one of the variousembodiments, zero or more fields may be generated and associated withthe data model object.

In at least one of the various embodiments, a portion of the fields thatcomprise the parent data model object may be considered to be part ofthe generated data model object based on object oriented inheritance. Inat least one of the various embodiments, fields derived from a parentdata model object may be fixed, un-editable, and/or non-removable.

At block 1008, in at least one of the various embodiments, additionaldata model object attributes and properties may be determined. In atleast one of the various embodiments, these may include filters,functions (e.g., evaluations, calculations, aggregations, or the like),constraints, or the like.

At decision block 1010, in at least one of the various embodiments, ifmore data model objects remain to be generated, control may loop toblock 1002. Otherwise, in at least one of the various embodiments,control may be returned to a calling process.

In at least one of the various embodiments, data model objects may beadded to data models subsequent to the initial generation of the datamodel. Likewise, data model objects may be removed from a data modelsubsequent to the initial generation of the data model.

In at least one of the various embodiments, if a parent data modelobject is removed from a data model, its child data model objects may beupdated and associated with other data model objects, or they may beremoved from the data model as well. In at least one of the variousembodiments, the portions of the data model objects that depend on theremoved parent data model object may be modified such the data modelremains consistent. For example, if a parent data model object isremoved that corresponding child data model object may be removed aswell. Thus, in at least one of the various embodiments, a user may beasked for input as to how to proceed. In some cases, the child datamodel objects may remain part of the data model after having their datamodel parent objects adjusted appropriately. In at least one of thevarious embodiments, a user may be notified that removing the parentdata model object may affect other data model objects. In such cases, inat least one of the various embodiments, a user interface may beprovided that enables the user to direct the data modeling applicationto take the appropriate action.

FIG. 11 shows an overview flowchart of process 1100 for generatingfields that may comprise a data model object in accordance with at leastone of the various embodiments. After at start block, at block 1102, inat least one of the various embodiments, a field name may be determinedfor the new field.

At block 1104, in at least one of the various embodiments, a field typemay be determined for the new field.

At block 1106, in at least one of the various embodiments, Booleanattributes may be determined for the new field. Also, in at least one ofthe various embodiments, “flag” type attributes may be determined forthe new field. Boolean and/or flag attributes may be used to defineproperties, such as, read-only, required, multi-valued, or the like.

At block 1108, in at least one of the various embodiments, additionalconstraints and/or fields may be determined and associated with the newfield.

FIG. 12 shows an overview flowchart for process 1200 for generating anevent set data model object that may be associated with a data model.After a start block, at block 1202, in at least one of the variousembodiments, a name may be determined for the event set object andassociated with the event set object. Also, in at least one of thevarious embodiments, the generated event set data model object may beassociated with a data model using well-known programming techniques,such as, references, lookup-tables, pointers, or the like.

At block 1204, in at least one of the various embodiments, optionallythe effective time period for the event set object may be determined. Inat least one of the various embodiments, time periods may be included inevent set objects to collect and/or group events that occur within thedetermined time periods.

At block 1206, in at least one of the various embodiments, filters,constraints, rules, or the like may be determined to define the eventsand/or data that may correspond to the event set object.

At decision block 1208, in at least one of the various embodiments, ifthe event set object is intended to match an event sequence, control maymove to block 1210. Otherwise, in at least one of the variousembodiments, control may be returned to a calling process.

In at least one of the various embodiments, an event set object may bearranged to model a transaction that identifies a set of events thatoccur in a set period of time. Thus, in at least one of the variousembodiments, the one or more events that contribute to the transactionmay be defined and associated with the event set object. For example, inat least one of the various embodiments, if the event set object isintended to model a user visiting a web site, the event set object maybe generated to match page view events generated by the same user thatmay occur within 10 minutes of each other.

At block 1210, in at least one of the various embodiments, the eventsequencing/ordering matching rules may be established the event setobject. In at least one of the various embodiments, an event set objectmay be arranged to represent a set events that arrive in a particularorder within a particular time period by defining constraints thatcorrespond to the order the events are received. For example, in atleast one of the various embodiments, a constraint such as,“purchaseConstraint=login.html, store.html, *, checkout.html,confirm.html” may define a event set object that models the behavior auser logging into to system before completing a purchase.

Next, control may be returned to a calling process.

FIG. 13 illustrates a flowchart showing an overview of process 1300 forgenerating a data model from query results. After a start block, atblock 1302, in at least one of the various embodiments, generate a querystring and execute it on a data repository. In at least one of thevarious embodiments, executing the query string may produce a result setthat corresponds to the query string.

At block 1304, in at least one of the various embodiments, determinecandidate data model object fields based on the result set thatcorresponds to the query string. In at least one of the variousembodiments, result sets may include records that have similar elements.In at least one of the various embodiments, the elements may beexplicitly available in the result set, such as for SQL database resultsthat return results organized into named columns. In at least one of thevarious embodiments, result sets may be generated from unstructured datawhere candidate field names and values may be identified and extractedfrom the unstructured data record.

In at least one of the various embodiments, the candidate fields may bedisplayed in a user-interface list enabling a user to interactivelyselect them. Or, in at least one of the various embodiments, thecandidate fields may be provided to the user in list.

At block 1306, in at least one of the various embodiments, the resultset records may be analyzed to determine the fields the records may havein common. In at least one of the various embodiments, records havingfields in common may be useful for determining potential parent-childdata model objects.

For example, in at least one of the various embodiments, result recordsrelated to HTTP events may each include a source IP address and a HTTPmethod (GET, HEAD, PUT, POST, or DELETE). Thus, in at least one of thevarious embodiments, a data modeling application may determine that eachresult record that includes a source IP address and HTTP method may be acandidate for a HTTP Request data model object. Further, in thisexample, if some records include a source IP address, a HTTP method anda 200 series HTTP response code (indicating success), those records withmay be determined to be specializations of the HTTP Request, in thiscase, a HTTP Success event.

At block 1308, in at least one of the various embodiments, at least onecandidate data model may be generated based on the candidate data modelobjects and the candidate fields and the relationships/commonalities ofthe fields in the result set records. The candidate data model and/orcandidate data model objects may be presented in a user-interfaceenabling the user to select and/or modify them.

At block 1310, in at least one of the various embodiments, the candidatedata model and/or the candidate data model objects may be iterativelymodified until they may be accepted as sufficiently modeling the sourcedata.

FIG. 14 illustrates an overview flowchart of process 1400 that maygenerate query strings that correspond to a data model. After a startblock, at block 1402, in at least one of the various embodiments, searchobject(s) for a data model based report may be received. In at least oneof the various embodiments, search objects may be one or more data modelobjects. Also, in at least one of the various embodiments, searchobjects may be specialized search objects that may reference one or moredata model objects, including pivot table objects.

At block 1404, in at least one of the various embodiments, the root datamodel object and at least one target data model object may be determinedbased on the received search objects. In at least one of the variousembodiments, the data modeling application may analyze the searchobjects to determine the root and/or top data model objects that may berelevant for the report. Also, in at least one of the variousembodiments, the search object may be processed by the data modelingapplication to determine a target data model object. For example, in atleast one of the various embodiments, if a search object represents asingle data model object, such as, PAGE VIEW 708, then PAGE VIEW 708would be the target data model object.

In at least one of the various embodiments, the data modelingapplication may traverse the data model in reverse (upwards) from thetarget data model object to identify the root data model object for thereport. For example, in at least one of the various embodiments,referring to data model 700, if the target data model object is HTTPSUCCESS 706, the root data model object would be EVENT 702.

At block 1406, in at least one of the various embodiments, the datamodeling application may traverse the data model object path between thedetermined root data model object and a determined target data modeobject. In at least one of the various embodiments, the data modelingapplication may traverse the data model starting at the root data modelobject. In at least one of the various embodiments, during the traverse,the data modeling application may visit each data model object on thepath between the root object and the target data model object.

In at least one of the various embodiments, the data modelingapplication may employ well-known methods to traverse data model. Oneordinary skill in the art will appreciate that the data model may belogically represented as a hierarchical tree data structure and that adata model may be implemented using a variety of well-known programmingmethods that may include indexes, lookup tables, linked-lists, arrays,hash tables, map tables, graphs, trees, or the like. Likewise, variouswell-known traversal strategies may be employed to determine the datamodel objects to visit and the order for visiting them.

At block 1408, in at least one of the various embodiments, a querystring fragment may be generated based on the current data model object.In at least one of the various embodiments, the data modelingapplication may visit each data model object in the path between theroot data model object and the target data model object.

In at least one of the various embodiments, each visited data modelobject may be analyzed by the data modeling application. In at least oneof the various embodiments, query string fragments that correspond toeach visited data model object may be generated based on the fields,attributes, properties, or constraints that comprise the visited datamodel objects.

At decision block 1410, in at least one of the various embodiments, ifthe target data model object may have been reached by the data modelingapplication during the traversal of the data model, control may move toblock 1412. Otherwise, in at least one of the various embodiments,control may loop back block 1406 to continue traversing the path betweenthe root data model object and the target data model object.

At block 1412, in at least one of the various embodiments, the generatedquery string may be associated with the search object, report model,and/or the target data model object. Next, control may be returned to acalling process.

In at least one of the various embodiments, a data modeling applicationmay generate query strings that use a language and syntax that maycorrespond to one or more query languages and/or query protocolssupported by the target data repository. For example, in at least one ofthe various embodiments, if a target data repository is a relationaldatabase management system that supports SQL, the data modelingapplication may generate a query string in the form of SQL query (e.g.,SELECT fname1, fname2 FROM table1 WHERE constraint1=xxx).

Also, in at least one of the various embodiments, if the data repositoryis search engine, the data modeling application may generate a querystring that is in the form of a search engine query suitable for thetarget search engine, such as, “/search?constraint1=xx&constraint2=yy.”

In at least one of the various embodiments, data repositories that haverich query languages may generate result sets that closely model thedata model. On the other hand, in at least one of the variousembodiments, data repositories that may have primitive query languagesmay produce result sets that may require additional processing by thedata modeling application to enable a mapping of the result set to adata model.

FIG. 15 shows a flow chart for process 1500 for generating a pivotreport model in accordance with at least one of the various embodiments.After a start block, at block 1502, in at least one of the variousembodiments, determine a data model that may be used to build the pivotreport template.

At block 1504, in at least one of the various embodiments, select fieldsfrom data model object(s) to add to the pivot report template. In atleast one of the various embodiments, fields may be selected as rowfields or column fields for the pivot report.

In at least one of the various embodiments, selecting a field to be rowfield may cause the data modeling application to generate one row foreach unique value of the field that may be in the result set. Forexample, in at least one of the various embodiments, if a URI field froma HTTP SUCCESS object is selected to be a row field, one row for eachunique URI found in the result set may be expected to be in the pivotreport.

In at least one of the various embodiments, column fields may beselected to define the columns of the pivot report. In at least one ofthe various embodiments, these may be the fields selected to beanalyzed/reported on for each row in the pivot report. In at least oneof the various embodiments, the actual value that is displayed in therow-column cell of the report may depend on additional calculationinformation that may be associated with the cell.

In at least one of the various embodiments, determine at least one fieldfrom at least one data model object for display that is subsequentlyassociated with at least one row in at least one pivot report model. Inat least one of the various embodiments, determine at least one fieldfrom at least one data model object for display that is subsequentlyassociated with at least one column in the at least one pivot repotmodel, wherein the at least one column corresponds to the at least onefield.

At block 1506, in at least one of the various embodiments, determinecalculation for pivot report cells. In at least one of the variousembodiments, pivot reports may include one or more cells that displaythe results of aggregate calculations, such as, sum, average, count,standard deviation, root-mean-square, or the like.

In at least one of the various embodiments, calculations may be selectedby users from a pre-filled list. In at least one of the variousembodiments, the calculation may default to a particular formula orfunction based on a configuration value. In at least one of the variousembodiments, system wide defaults may be assigned. Also, in at least oneof the various embodiments, default calculations may be configuredand/or associated to particular users, or to particular data models.

For example, in at least one of the various embodiments, if URI is a rowfield and BYTES is a column field, a cell may be defined to show the sumof the bytes for each unique URI in the result set.

In at least one of the various embodiments, associate at least oneoperation (e.g., calculation) for each determined field in a row of theat least one pivot report model, wherein an output of the operation foreach determined field in the row is displayed in at least onecorresponding column of the pivot report model.

At decision block 1508, in at least one of the various embodiments, ifthe pivot report is complete, control may move to block 1510. Otherwise,in at least one of the various embodiments, control may loop back toblock 1504.

In at least one of the various embodiments, users may generate pivotreport templates that have one field from a data model object and oneoperation (e.g. avg(webhits)). Also, in at least one of the variousembodiments, a user may generate one or more pivot report templatesbased on a single operation that may be applied to an entire data modelobject, For example, in at least one of the various embodiments, asingle count operation that may calculate the number of results thatmatch that data model object may be used to generate a pivot reporttemplate.

At block 1510, in at least one of the various embodiments, store thecompleted pivot report template in stable storage (e.g., hard-drive,file system, database, or the like). In at least one of the variousembodiments, the completed pivot report template may be stored for useat some future time or it may be immediately used to generate a pivotreport. Also, in at least one of the various embodiments, incompletepivot report models may be stored in an incomplete state. Incompletepivot report templates may be retrieved by users to continue generatingthe pivot report templates. Next, in at least one of the variousembodiments, control may be returned to a calling process.

FIG. 16 shows a flow chart for process 1600 for generating a pivotreport from a pivot report template and a data model in accordance withat least one of the various embodiments. After at start, at block 1602,in at least one of the various embodiments, generate one or more querystrings based on a determined pivot report template and a determineddata model.

At block 1604, in at least one of the various embodiments, execute theone or more generated query strings on a data repository to produce aquery result set that corresponds to the query string.

At block 1606, in at least one of the various embodiments, map the queryresult set to the row fields and column fields the pivot reporttemplate. In at least one of the various embodiments, the row fields mayinclude an entry for each unique value that may be included in theresult set. In at least one of the various embodiments, the value foreach row-column cell may be determined based on the calculation/functionthat may be associated with the row-column cell.

In at least one of the various embodiments, the values for the cell maybe returned directly as part of the result set. For example, in at leastone of the various embodiments, a query string fragment may include abuilt-in feature of the data repository to generate the cell value, suchas “count(*) as rowname-colname” In this example, “count(*)” may be abuilt in function provided by the data repository that computes ofnumber of the objects returned by query result set. The resulting valuemay be used directly to fill in the correct cell value for the pivotreport. On the other hand, in at least one of the various embodiments,if the data repository does not directly calculate and provide thenecessary cell values in the result set, the data modeling applicationmay perform the computations necessary to generate the cell values fromthe result set for display in the pivot report after receiving theresult set from the data repository.

At block 1608, in at least one of the various embodiments, generate apivot report from the pivot report template. Next, in at least one ofthe various embodiments, control may be returned to a calling process.In at least one of the various embodiments, the resulting pivot reportsmay have at least one row and at least one column.

Illustrative User-Interfaces

FIGS. 17-19 represent illustrative user-interfaces for at least one ofthe various embodiments. FIG. 17 illustrates screenshot from at leastone of the various embodiments of user-interface 1700 that may beemployed for at least viewing a data model. In at least one of thevarious embodiments, data model objects may be displayed in column 1702.In at least one of the various embodiments, column 1702 may be labeledto indicate the root data model objects in a data model. For example, inat least one of the various embodiments, column 1702 includes data modelobjects that may be derived from event data model objects andtransaction data model objects. Thus, in at least one of the variousembodiments, column 1702 may be labeled Events and Transactions.

Also, in at least one of the various embodiments, underneath column 1702a hierarchical representation of the current data model may bedisplayed. This display may enable users to quickly grasp therelationships between the various data model objects.

In at least one of the various embodiments, additional columns may beemployed to display information about the data model. For example, in atleast one of the various embodiments, column 1704 may display a datamodel object type value corresponding to the root data model object foreach listed data model object.

Also, in at least one of the various embodiments, one or more columnsmay be included that may provide access to relevant operations, such asrunning report based on the corresponding data model object. Forexample, in at least one of the various embodiments, column 1706includes a user-interface (quick report) that may enable users togenerate a report directly from the data model viewing user-interface.

One of ordinary skill in the art will appreciate that there may be manyvariations of user-interfaces for viewing data models and thatscreenshot 1700 is sufficient to disclose the various embodiments. Also,in at least one of the various embodiments, user-interfaces may includecommand-line interfaces that enable a user to list, review, or use datamodels by typing commands at a console.

FIG. 18 illustrates for at least one of the various embodiments ascreenshot of user-interface 1800 for at least editing, generating, orcreating data model objects in a data model. In at least one of thevarious embodiments, user-interface 1800 may be arranged into one ormore sections, such as object section 1802, constraint section 1804,property section 1806, or the like.

In at least one of the various embodiments, object section 1802 mayinclude a view of the currently selected data model. In at least one ofthe various embodiments, each data model objects included in the datamodel may be displayed and/or accessible to the user.

In at least one of the various embodiments, if a user selects a datamodel object from object section 1802 the data modeling application maygenerate a display of the details of that data model object. In thisexample, for at least one of the various embodiments, the selected datamodel object is page_view 1808. Thus, in this example, the valuesdisplayed and/or accessible in the other sections of user-interface 1800may correspond to data model object page_view 1808.

In at least one of the various embodiments, the data modelingapplication generates the constraint section 1804 to display theconstraints that may be associated with the selected data model object(e.g., page_view 1808). In at least one of the various embodiments,inherited constraints 1810 may be supplied by the parent data modelobjects of the selected data model object. For example, in at least oneof the various embodiments, page_view 1808 is a child of http_successand in turn http_success is a child of http_request. Thus, in at leastone of the various embodiments, inherited constraints 1810 may be fromeither data model object http_request or data model object http_success.Further, in at least one of the various embodiments, user-interface 1800may enable a user to perform actions and/or operations on constraints,such as, adding constraints, previewing constraints, renamingconstraints, deleting constraints, or the like.

In at least one of the various embodiments, constraint 1818 may beassociated directly with page_view 1808 rather than being provided by aparent data model object. In at least one of the various embodiments,data model objects may have more or less inherited constraints anddirect constraints than depicted in FIG. 18.

In at least one of the various embodiments, properties section 1806includes the properties that may be associated with the selected datamodel object (e.g., page_view 1808). In at least one of the variousembodiments, properties displayed here may correspond to fields of adata model object. In at least one of the various embodiments, inheritedproperties 1812 may be supplied by the parent data model objects of theselected data model object. For example, in at least one of the variousembodiments, page_view 1808 is a child of http_success and in turnhttp_success is a child of http_request. Thus, in at least one of thevarious embodiments, inherited properties 1812 may be from eitherhttp_request or http_success. Further, in at least one of the variousembodiments, user-interface 1800 may enable a user to perform actions onproperties, such as, extracting, previewing, removing, or the like.

In at least one of the various embodiments, extraction property 1814shows a property that may be associated directly with data model objectpage_view 1808 rather than being provided by a parent data model object.In at least one of the various embodiments, properties may also includefunctions or calculations such as Function 1816. In at least one of thevarious embodiments, data model objects may have more or less inheritedproperties and direct properties than depicted in FIG. 18.

In at least one of the various embodiments, if a user may be viewing orreporting on an data model object, it may be less important whether agiven field definition is inherited from a parent data model object or“owned” by the current data model object. However, in at least one ofthe various embodiments, for user-interfaces that enable editing of thedata model objects, fields that may be owned by the current data modelobject may be available for edit whereas inherited fields may be treatedas read-only. In at least one of the various embodiments, this may applysimilarly to constraints, or other inheritable characteristics.

FIG. 19 illustrates user-interface 1900 that may be used for generatingpivot reports in accordance with at least one of the variousembodiments. In at least one of the various embodiments, users mayselect data model objects that the data modeling application may employto generate a pivot report and/or pivot report model. In at least one ofthe various embodiments, if a data model object may be selected, one ormore of the fields (e.g., properties) associated with the data modelobject may be displayed and/or made available for selection. In at leastone of the various embodiments, properties associated with the selecteddata model object may be selected and added to a pivot report model.

In at least one of the various embodiments, pivot reports may begenerated for a defined range of time. In at least one of the variousembodiments, a date-time range selector, such as selector 1912 may beemployed to determine the relevant data-time range for the pivot report.

For example, in at least one of the various embodiments, data modelobject 1902 (HTTP_SUCCESS) may be selected. Thus, in at least one of thevarious embodiments, fields and other properties associated withHTTP_SUCCESS 1902 may be made available to the user. In at least one ofthe various embodiments, some fields, such as bytes 1914 may bedesignated as column values for the pivot report. In at least one of thevarious embodiments, other fields such as host 1916 may be designated asrow fields for the pivot report.

In at least one of the various embodiments, if a user initiates thegeneration a pivot report after selecting a new date-range, the datamodeling application may generate a new query string and execute itagainst the data repository. In other cases, in at least one of thevarious embodiments, the data modeling application may filter apreviously obtained result set using the new data-range.

In at least one of the various embodiments, the column fields and rowfields determine the layout of the pivot report. In at least one of thevarious embodiments, each pivot report may have at least one row and onecolumn.

In at least one of the various embodiments, user-interface 1900 may be adrag-and-drop interface that allows a user to design a pivot reportbased on a set of properties generated based on the fields on the datamodel object associated with an underlying data model. In at least oneof the various embodiments, user-interface 1900 may define four sectionsthat may comprise the building blocks of a pivot report.

In at least one of the various embodiments, Filters 1904 may be optionalrestrictions that may be placed on the search results and employed bythe data modeling application if a pivot report is generated. Forexample, in at least one of the various embodiments, users may employregular expressions to identify and/or remove events where the mediatype corresponds to an image resource.

In at least one of the various embodiments, cell values 1906 may beemployed to determine the operations used to calculate the values foreach cell in the report. For example, in at least one of the variousembodiments, the user and/or data modeling application may determinethat the cell value should include the count of all page views events.As illustrated in user-interface 1900, in at least one of the variousembodiments, cell values include the sum of the field “bytes” 1920 andthe count of field “http_successes” 1922.

In at least one of the various embodiments, split rows 1908 may beemployed to determine how the rows of the pivot report may be split up.For example, in at least one of the various embodiments, user-interface1900 may employ host field 1916 as a split row which results in rows1918 in the pivot report corresponding to each unique value for includedin the host field.

In at least one of the various embodiments, split columns 1910 may beemployed to determine how the columns in the pivot report may bedivided. For example, in at least one of the various embodiments, bytesfield 1916 and number of http_successes field 1924 may be selected assplit columns for pivot report 1900.

Illustrative Data Modeling Code

FIGS. 20-21 represents data modeling programming code illustrative of atleast one of the various embodiments. FIG. 20 includes a code listing ofdata model object 2000 that implements at least a portion of a pivotreport template. In at least one of the various embodiments, pivotreport template 2000 may be implemented using various computerprogramming languages, such as, C, C++, Perl, Python, Java, JavaScript,or the like. For example, pivot report model 2000, as shown isimplemented in JavaScript Object Notation (JSON).

In at least one of the various embodiments, the base class in thisexample pivot report template may be “ApacheAccessSearch” 2002.Likewise, in at least one of the various embodiments, each pivot reporttemplate may include an attribute that indicates the data model that thereport model may be associated with. For example, in at least one of thevarious embodiments, pivot report model 2000 may be included in datamodel WebIntelligence as indicated by attribute 2004.

In at least one of the various embodiments, filters 2006 may be an arrayor list of filters that may be included in a pivot report template.Further, in at least one of the various embodiments, cells 2008 may bean array or list of cell value definitions for a pivot report template.Also, in at least one of the various embodiments, rows 2010 may be anarray or list that may include the split rows for a pivot report. In atleast one of the various embodiments, columns 2012 may be an array orlist that may include the split columns for a pivot report.

FIG. 21 includes a code listing of a portion of a data model 2100 inaccordance with at least one of the various embodiments. In at least oneof the various embodiments, data model 2100 may be implemented invarious computer programming languages, such as, C, C++, Perl, Python,Java, JavaScript, or the like. For example, data model 2100 isimplemented in Python.

In at least one of the various embodiments, a data model implementationmay define one or more data model objects. In at least one of thevarious embodiments, each data model object may have a defined parentdata model object and a set of fields. For example, in at least one ofthe various embodiments, data model object 2102 is a portion of computerprogramming code that may define a data model object of HTTP_Requestthat has a parent object of Event. Further, in at least one of thevarious embodiments, data model object 2102 defines fields forHTTP_Request, including uri, clientip, and referrer.

For example, in at least one of the various embodiments, additional datamodel objects may be defined including, HTTP_Success 2104 (a child ofHTTP_Request 2102), HTTP_Error 2106 (a child of HTTP_Request 2102),HTTP_Redirect 2108 (a child of HTTP_Request), PageView 2110 (a child ofHTTP_Success 2108).

In at least one of the various embodiments, if an object orientedprogramming language such as, Python, C++, JavaScript, or the like, maybe employed. In at least one of the various embodiments, one or morenative object oriented programming features of the programming languagemay be employed to implement/support the object oriented characteristicsof the data models, such as, parent-child relationships between datamodel objects. Otherwise, in at least one of the various embodiments, ifnon-object oriented languages may be employed, such as, C, Perl, or thelike, well-known programming techniques may be employed to implementsufficient object-oriented functionality.

It will be understood that figures, and combinations of actions in theflowchart-like illustrations, can be implemented by computer programinstructions. These program instructions may be provided to a processorto produce a machine, such that the instructions executing on theprocessor create a means for implementing the actions specified in theflowchart blocks. The computer program instructions may be executed by aprocessor to cause a series of operational actions to be performed bythe processor to produce a computer implemented process for implementingthe actions specified in the flowchart block or blocks. These programinstructions may be stored on some type of machine readable storagemedia, such as processor readable non-transitive storage media, or thelike.

Furthermore, it will be understood that for at least one of the variousembodiments, various types of data may be received and processed asdescribed and claimed herein. And, at least one of the variousembodiments is not limited to processing machine data.

The invention claimed is:
 1. A method, comprising: selecting one or moredata models among a plurality of data models based on data beinganalyzed from a specific data source among a plurality of data sources,the one or more data models representing a view of the data associatedwith the specific data source, the data comprising a plurality oftime-stamped, searchable events, each event in the plurality oftime-stamped, searchable events including a portion of unstructured rawmachine data reflecting activity in an information technologyenvironment; causing display, in a graphical user interface, of arepresentation of one or more objects that are included in the one ormore data models; receiving a selection of a first object representationof a first object among the representation of the one or more objectsvia the graphical user interface; based on the first objectrepresentation, retrieving, from computer memory, a previously storedobject query and an object schema associated with the first objectrepresentation; retrieving a set of time-stamped, searchable events fromthe data using the object query; and extracting first field values fromone or more fields, identified by the object schema, in portions ofunstructured raw machine data in the set of time-stamped, searchableevents; wherein the method is performed by one or more computingdevices.
 2. The method of claim 1, further comprising: executing asearch query across the first field values that produces a result basedat least in part on the data reflecting the activity of the informationtechnology environment; wherein the result is indicative of aperformance of the information technology environment.
 3. The method ofclaim 1, further comprising: executing a search query across the firstfield values that produces a result based at least in part on the datareflecting the activity of the information technology environment;wherein the result is indicative of a security of the informationtechnology environment.
 4. The method of claim 1, further comprising:executing a search query across the first field values that produces aresult based at least in part on the data reflecting the activity of theinformation technology environment; wherein the result is based on anaggregate of values for a field included in the object schema.
 5. Themethod of claim 1, further comprising: executing a search query acrossthe first field values that produces a result based at least in part onthe data reflecting the activity of the information technologyenvironment; and causing display of the result.
 6. The method of claim1, further comprising: executing a search query across the first fieldvalues that produces a result based at least in part on the datareflecting the activity of the information technology environment; andcausing display of the result in a table.
 7. The method of claim 1,further comprising: executing a search query across the first fieldvalues that produces a result based at least in part on the datareflecting the activity of the information technology environment; andcausing display of the result in a graphical visualization.
 8. Themethod of claim 1, further comprising: executing a search query acrossthe first field values that produces a result based at least in part onthe data reflecting the activity of the information technologyenvironment; and causing an alert or notification based on the result.9. The method of claim 1, further comprising: executing a search queryacross the first field values that produces a result based at least inpart on the data reflecting the activity of the information technologyenvironment; and causing execution of an action based on the result. 10.The method of claim 1, wherein the first object is a root object. 11.The method of claim 1, wherein the first object is a child object. 12.The method of claim 1, wherein the first object representation refers toa root object whose object query provides for broader search criteriathan an object query of a child object that is also included in the datamodel and is selectable via the graphical user interface.
 13. The methodof claim 1, wherein the first object representation refers to a childobject whose object query provides for narrower search criteria than anobject query of a root object that is also included in the data modeland is selectable through the graphical user interface.
 14. The methodof claim 1, further comprising: executing a search query across thefirst field values that produces a result based at least in part on thedata reflecting the activity of the information technology environment;and populating a second graphical user interface with data-manipulationcontrols that correspond to the one or more fields identified in theobject schema for the first object, wherein the second graphical userinterface enables a user to modify the search query via thedata-manipulation controls.
 15. The method of claim 1, furthercomprising: executing a search query across the first field values thatproduces a result based at least in part on the data reflecting theactivity of the information technology environment; wherein the searchquery includes event-filtering criteria different than filteringcriteria of the object query; and populating a second graphical userinterface with data-manipulation controls that correspond to the one ormore fields in the object schema for the first object, wherein thesecond graphical user interface enables a user to modify theevent-filtering criteria via the data-manipulation controls.
 16. Themethod of claim 1, further comprising: executing a search query acrossthe first field values that produces a result based at least in part onthe data reflecting the activity of the information technologyenvironment; wherein the search query produces the result based at leastin part on an aggregate of values for a field included in the objectschema; and populating a second graphical user interface withdata-manipulation controls that correspond to the one or more fields inthe object schema for the first object, wherein the second graphicaluser interface enables a user to modify the search query and specify theaggregate via the data-manipulation controls.
 17. The method of claim 1,further comprising: executing a search query across the first fieldvalues that produces a result based at least in part on the datareflecting the activity of the information technology environment;populating a second graphical user interface with data-manipulationcontrols that correspond to the one or more fields in the object schemafor the first object; and receiving, through the second graphical userinterface, a selection of a graphical visualization format fordisplaying the result.
 18. The method of claim 1, further comprising:executing a search query across the first field values that produces aresult based at least in part on the data reflecting the activity of theinformation technology environment; wherein the search query is selectedby a user from a displayed list of pre-defined queries.
 19. Anon-transitory computer-readable storage medium including instructionsthat, when executed by a processor, cause the processor to perform thesteps of: selecting one or more data models among a plurality of datamodels based on data being analyzed from a specific data source among aplurality of data sources, the one or more data models representing aview of the data associated with the specific data source, the datacomprising a plurality of time-stamped, searchable events, each event inthe plurality of time-stamped, searchable events including a portion ofunstructured raw machine data reflecting activity in an informationtechnology environment; causing display, in a graphical user interface,of a representation of one or more objects that are included in the oneor more data models; receiving a selection of a first objectrepresentation of a first object among the representation of the one ormore objects via the graphical user interface; based on the first objectrepresentation, retrieving, from computer memory, a previously storedobject query and an object schema associated with the first objectrepresentation; retrieving a set of time-stamped, searchable events fromthe data using the object query; and extracting first field values fromone or more fields, identified by the object schema, in portions ofunstructured raw machine data in the set of time-stamped, searchableevents.
 20. The non-transitory computer-readable storage medium of claim19, further comprising: executing a search query across the first fieldvalues that produces a result based at least in part on the datareflecting the activity of the information technology environment;wherein the result is indicative of a performance of the informationtechnology environment.
 21. A non-transitory computer readable storagemedium including computer program instructions that, when executed on aprocessor, implement a method comprising: selecting one or more datamodels among a plurality of data models based on data being analyzedfrom a specific data source among a plurality of data sources, the oneor more data models representing a perspective of the data associatedwith the specific data source, the data comprising a plurality of timestamped events, each event in the plurality of time stamped eventsincluding a portion of unstructured raw machine data reflecting activityin an information technology environment; causing display, in anobject-selection interface, of one or more objects that are included inthe one or more data models; receiving, from a user via theobject-selection interface, a selection of a first object among the oneor more objects included in the one or more data models; and retrieving,from computer memory, a previously stored object definition thatcorresponds to the first object, wherein the previously stored objectdefinition includes: an object query that, when executed, retrieves aset of time stamped events from a data store on a computing device, eachevent including a portion of unstructured raw machine data reflectingactivity in an information technology environment; and an object schemaidentifying a set of one or more fields included in the unstructured rawmachine data.
 22. The computer readable medium of claim 21, furthercomprising: executing, against events in the data store that meetfiltering criteria of the object query, a search query that referencesonly field values that are extracted using the object schema and thatproduces a result, wherein the result is indicative of a performance ofan information technology environment or a security of an informationtechnology environment.
 23. The computer readable medium of claim 21,implementing the method further comprising: executing, against events inthe data store that meet filtering criteria of the object query, asearch query that references only field values that are extracted usingthe object schema and that produces a result; and populating a pivotgraphical user interface with data-manipulation controls that correspondto the set of the one or more fields identified in the object schema forthe first object, wherein the pivot graphical user interface enables auser to modify the search query via the data-manipulation controls. 24.The computer readable medium of claim 21, further comprising: executing,against events in the data store that meet filtering criteria of theobject query, a search query that references only field values that areextracted using the object schema and that produces a result, whereinthe search query is produced by a user through a pivot graphical userinterface.
 25. A system including one or more processors coupled tomemory, the memory loaded with computer instructions that, when executedon the processors, implement the steps of: selecting one or more datamodels among a plurality of data models based on data being analyzedfrom a specific data source among a plurality of data sources, the oneor more data models representing a view of the data associated with thespecific data source, the data comprising a plurality of time stampedevents, each event in the plurality of time stamped events including aportion of unstructured raw machine data reflecting activity in aninformation technology environment; causing display, in anobject-selection interface, of one or more objects that are included inthe one or more data models; receiving, from a user via theobject-selection interface, a selection of a first object among the oneor more objects included in the one or more data models; retrieving,from computer memory, a previously stored object definition thatcorresponds to the first object, wherein the previously stored objectdefinition includes: an object query that, when executed, retrieves aset of time stamped events from a data store on a computing device, eachevent including a portion of unstructured raw machine data reflectingactivity in an information technology environment; and an object schemaidentifying a set of one or more fields included in the unstructured rawmachine data.
 26. The system of claim 25, further comprising: executing,against events in the data store that meet filtering criteria of theobject query, a search query that references only field values that areextracted using the object schema and that produces a result, whereinthe result is indicative of a performance of an information technologyenvironment or a security of an information technology environment. 27.The system of claim 25, further comprising: executing, against events inthe data store that meet filtering criteria of the object query, asearch query that references only field values that are extracted usingthe object schema and that produces a result; and populating a pivotgraphical user interface with data-manipulation controls that correspondto the set of one or more fields in the object schema for the firstobject, wherein the pivot graphical user interface enables a user tomodify the search query via the data-manipulation controls.
 28. Thesystem of claim 25, further comprising: executing, against events in thedata store that meet filtering criteria of the object query, a searchquery that references only field values that are extracted using theobject schema and that produces a result, wherein the search query isproduced by a user through a pivot graphical user interface.
 29. Thenon-transitory computer-readable storage medium of claim 19, furthercomprising: executing a search query across the first field values togenerate a result based at least in part on the data reflecting theactivity of the information technology environment, wherein the searchquery includes event-filtering criteria different than filteringcriteria of the object query; and populating a second graphical userinterface with data-manipulation controls that correspond to the one ormore fields included in the object schema for the first object, whereinthe second graphical user interface enables a user to modify theevent-filtering criteria via the data-manipulation controls.
 30. Thenon-transitory computer-readable storage medium of claim 19, furthercomprising: executing a search query across the first field values togenerate a result based at least in part on the data reflecting theactivity of the information technology environment, wherein the searchquery is selected by a user from a displayed list of pre-definedqueries.